The hacking world's summer camp has ended. The last of the Black Hat USA, BSides Las Vegas, and DEF CON attendees and organizers have now left Sin City after a week of lectures, networking, and partying.
What unfolded over those seven or so days will have knock-on effects for years to come – not just from researchers and …

COMMENTS

Security Theater

Yes, it's obviously just theater. Surely one of the attendees could have found a way to infer the amount of metal in a room? Or inconspicuous metal detectors in the hallways? Then they could bring the police along to a search when there was an actual suspicion.

So did any random foreign infosec hero get detained at the airport on the way out?

I reached much the same conclusion from watching an episode of CSI! I assume it's not the history of Mob corruption and violence, the 171 murders (excluding the 58 in the mass shooting) of 2017, the brutal climate, the permanent twilight of the casinos or the fact the entire town only exists to separate people from their money that makes it such a desirable destination. Because, if it is, DEF CON might as well pack up and go home: humanity has chosen a different path.

Re: Caesars have proven themselves incompetent

"It is legal to carry concealed or openly in a bar or restaurant, even while consuming alcohol. One cannot possess a firearm if their blood alcohol content is more than .10 BAC (NRS 202.257). It is legal to carry openly or concealed inside a casino, on the Las Vegas Strip, or at the Fremont Street Experience."

https://www.nevadacarry.org/

https://www.nevadacarry.org/open-carry.html

But wait, there's more - Nevada is a "Stand Your Ground" state.

https://www.shouselaw.com/blog/nevada-stand-ground

That naked lady in the shower would have been legally able to shoot both of those guys. Might have lost her room deposit though.

Re: Caesars have proven themselves incompetent

Well now that I know everyone can be armed in the hotel and you're allowed to shoot people if you feel threatened, I for one would be able to sleep soundly in my hotel bed. Dreaming of cinder-block walls.

Re: Caesars have proven themselves incompetent

It is highly unlikely that firearms are banned by policy in the hotel space. Firearms are banned from the floors of casinos (at least they were last time I was there). There are thousands of people quite legally carrying concealed firearms in Las Vegas on a daily basis. Spoiler alert - nobody gets hurt.

People forcing their way into hotel rooms while not wearing obvious uniforms and presenting legitimate identification (verified with the front desk) are going to get shot at some point. It will be an interesting court case when that happens. The policies need to be modified. Hopefully the video of hotel "security" doing a lot more than a visual check will result in actual change instead of a couple BS press releases.

Re: Caesars have proven themselves incompetent

>Spoiler alert - nobody gets hurt.

Until lots of people do, then there's a short period of angst, followed by a long period of paranoia after the NRA kicks the usual up a gear. Then business as usual until it happens again, few lessons, seemingly learnt.

Re: Caesars have proven themselves incompetent

>People forcing their way into hotel rooms while not wearing obvious uniforms and presenting legitimate identification (verified with the front desk) are going to get shot at some point.

Not terribly likely, unless entry was genuinely forcible; gun owners are fairly responsible about these sorts of things, specifically when deadly force can and cannot be used.

A man in Texas was acquitted of manslaughter charges after killing several deputies during a no-knock raid in which the police failed to announce that they were actually police, making the raid indistinguishable from a well-coordinated home invasion. Hotel staff opening your door with a keycard is fairly different from that sort of forcible entry.

Re: Caesars have proven themselves incompetent

Given that the majority of hotel locks are ludicrously insecure, nobody should assume that unlocking the door can only be done by authorized personnel. It doesn't even require above-average hacking skills.

Re: Caesars have proven themselves incompetent

>A man in Texas was acquitted of manslaughter charges after killing several deputies during a no-knock raid in which the police failed to announce that they were actually police, making the raid indistinguishable from a well-coordinated home invasion. Hotel staff opening your door with a keycard is fairly different from that sort of forcible entry.

It is, but I'm not sure you can expect a young lady who is naked in the shower on a night to make the same determination we can from the safety of our (hopefully) fully clothed desks with the facts in evidence.

Re: Caesars have proven themselves incompetent

Do none of these doors have a chain or latch to prevent external access when occupied? I was fairly certain they're a standard thing. But if the staff are circumventing these then it'd be no surprise if someone vented them for this at some point unless they announce their visit.

Re: Staff cost reductions maid

>This year was a stroke of genius: the badges contained a retro roleplaying game you could access via USB, 30 LEDs, and other IO ports. You could unlock new RPG levels if you connected your badge to other badge types – human, press, speaker and so forth – with the lights telling you if the link was successful.

Bearing in mind the target audience, wouldn't many of them just "help themselves" to the extra levels?

Seeing as to what the point of DefCon IS, if you can get yourself the levels by hacking your badge then props to you. It is however encouraged to share your methods and attack vectors if you are successful so that others may learn.

Re: "Et tu Bruté"

Shakespeare got it wrong. It's actually a corruption of 'Et tu, brew tea', meaning that Caesar wanted his trusty lieutenant Brutus to bring him a nice cuppa, sharpish. However the only thing sharp in the vicinity is Brutus's dagger, which he proceeds to bury in the imperial ribcage, thereby allowing Caesar to utter his actual last words which, as any fule kno, are 'Infamy, infamy, they've all got it in for me!'

Re: "Et tu Bruté"

Be insured it makes no sense at all.

Given the general level of grammar and spelling on the Internet these days, I really don't know if that was an extremely clever comment or a monumental fuck up. :) I'll give you the benefit of the doubt this time, but next time remember to end your sentence with a smiley face and/or use an appropriate icon. ;)

Re: "Et tu Bruté"

Strictly speaking the words "Et tu, Brute" come from Shakespeare's Julius Caesar. Some have also said the words to be "Kai su, teknon" meaning either the same: You too, my son? or alternatively the slightly more colorful: Screw you, young man!

Re: "Et tu Bruté"

That's more or less what Natalie Haynes alluded to in "Wordaholics" Series 2, Episode 2 on Radio 4 Extra, yesterday! And whilst The Bard used Latin, "Kai su, teknon" is Greek - as AC rightly stated It's all Greek to me

Welcome to America

This is just going to continue - given that the country insists that it is every American's right to walk around armed to the teeth (Stephen Paddock was doing nothing wrong until he started shooting, it was all legal up to that point) then the only way to enforce every American's right to bear guns is going to be to search everyone, all the time. You see it more and more - land of the free indeed.

Have always hated conferences in Vegas. The company-enforced 12 hour flight in coach (or longer when the travel dept tells you it's $100 cheaper to take a 3 hour layover in Chicago), the jet lag, the half mile walk to a 7am breakfast in an aircraft-hangar-sized basement, the 10 hour days in a dark presentation hall, the false bonhomie of corporate drones trying to pretend they are natural entertainers up on stage. OK I have seen some pretty cool presenters over the years I admit. And enjoyed some cheap shopping. But this year my room was entered twice by staff (whose?) delivering branded corporate bumf such as T shirts and coffee mugs during my absence. And the hotels jam you with "resort fees" on top of the room rate... but then they don't send you the email invoice you were promised to avoid the queue*** to check out... so more unnecessary chasing and paperwork to get that money back, even though the room was paid for in advance. And now this...

*** more accurately, the hotel avoids paying the wages to staff the front desk sufficiently

Most hotels that I've stayed in have a way to check out without having to go to the front desk. I prefer going to the front desk anyway, though, because if there's some sort of problem, it's faster and easier to deal with it there and then rather than later after I've returned home.

Hold it in a different country

You could hold the next one in Australia.. We don't have any of those sort of probl... oh, umm, never mind, it's probably safer and more secure over there. The laws of mathematics get overruled here and you have the right to have the government do whatever it wants to you, without complaining.

Mandatory Room inspections??? - How to turn a Hotel into a Hospital...

News of hotels forcing inspections because you have a Do-Not-Disturb sign is sad to see. It's another sign that the T's have won. They've made us all afraid. When I stay in hotels, I always put the sign on the door. Why???

1. Typically you don't want to be disturbed, especially if you're with your SO. You can get towels / supplies at reception or from staff in the corridor...

2. Security: When you're on the road sometimes you're forced to take whatever you can find, and some hotels you can't trust. Especially the safe, if the room even has one. They're always bypass-able for hotel staff, which breaks down trust. If only the manager has access maybe, but typically they don't want those types of call-outs, just the congratulations!

3. Hotels are noisy. Often you're woken up at 4am by idiots leaving for the airport holding a conference call outside your door. That breaks your sleep patterns, and means you need to sleep-in longer. But if you happen to be in the corner where the room cleaners start, they want in way too early!

Re: Mandatory Room inspections??? - How to turn a Hotel into a Hospital...

Most hotels will attempt to enter a room after a period of time regardless of a do not disturb. This is usually 48-72 hours. Mostly to make sure someone hasn't died (not as infrequent as all that for big hotels) or some other issue.

Re: Mandatory Room inspections??? - How to turn a Hotel into a Hospital...

"Most hotels will attempt to enter a room after a period of time regardless of a do not disturb."

Yes, but in the hotels I worked in as a youth, this only happened if the hotel was unable to contact the person in the room after a lengthy period of time (48 hours, where I worked). If the front desk called and the person answered the call, that would be the end of it and no inspection would take place.

Bah!

Re: Bah!

If you follow some of the Twitter and Facebook posts on this conf, there are a LOT of stories from DefCon contributors basically saying unless you bring your own additional security hardware, anything mounted to the door is bypassable from outside, or can be pushed out by 100lb weaklings.

I've been exposed to a whole new Amazon marketplace... of "essential" door security doodads!

Re: Bah!

American hotels all down the east coast of the continental USA and the Canadian ones I stayed in in Toronto and Grande Prairie, Alberta all have those twist-to-lock bolts, but *also* have a hinged metal device that replaces the old-fashioned chain. It is often difficult to engage because it has been installed with tight clearances but once snagged over the ball-ended spike on the door it will prevent the door opening more than an inch or so.

To break in past one of these you could either force the door to break the latch off, or you could cut through it with a cutting wheel or sawzall. A correctly proportioned pry-bar could also be used to deform the latch until it snapped I suppose.

None of these options would qualify as "just walking in unannounced" in my book.

Now I've never been to Las Vegas, so I don't know if their hotel room doors are fitted with what seems to this traveler to be a ubiquitous standard in the industry, but if they don't, why would anyone "hip" to security concerns stay there?

You are right that there is security theater here. I'm becoming more convinced by the minute that there were actors chewing the scenery on both sides of the check in desk.

Caesar's policy doesn't add up

"[...] hotel giant decided that if someone has a do-not-disturb tag on their door for more than a couple of days, a search has to be made. In other words, if the maids can't be allowed in to clean up and clock any assault rifles and grenades, security guards will do the latter for them – whether guests are present or not."

According to the hotel the maids will not be going through the guests' belongings. However, that makes little sense as someone could simply hide their gear and allow room service to come in.

Also, the policy wouldn't catch anyone who manages to smuggle gear into the room before the deadline of "a couple of days". Paddock had a lot of gear, but could have done with much less. So "a couple of days" to avoid a "stockpile" is nonsense.

More TSA-like feel-good 'security' measures. Much less expensive than installing sensors on the window panes to detect someone breaking the glass, though.

NEUKlearer HyperRadioProACTive IT Weapons Systems ... Not a Foe for Fights ...

..... whenever So Friendly Protective in Novel Flights

Does Mad Genius Tread and Thread the Halls of such Hotels for Las Vegas, or does it just Often Occasionally Visit Such as be Filthy Rich Desert Cities Countenancing Cloning of Future Citadels?

That would make Nevada an AIKlondike Destination and Virtual Port for Universal Command with Remote Control Leverage in an Advanced Autonomous Anonymous Direction ....... with Future Current Presentations Generating Powerful Machinery for Immaculately Sourced Energies to Exercise and Export. ...... Show and Share. ..... and Dare Win Win All Ways, Always ...... which you will have to imagine immensely to believe is easily possible, for such is Certainly Classifiable as COSMIC Almighty, given All of the Nothing that IT can't do for you and/or to you.

Other would also agree it be possibly quite psychotic and psychopathic too. Tread the boards carefully there, for that is a'marching downhill into the wild side of life and that is deep treasure and darker secret territory hosting escapades and posting surprising successes there.

Re: NEUKlearer HyperRadioProACTive IT Weapons Systems ... Not a Foe for Fights ...

Troll, troll, troll, troll... .... Anonymous Coward

Are you so sure IT is not for a Succession of Stealthy RATs, AC? Trialing and Trailing Troll Bait on Phisher Folks' Chum Lines?

With Zero Attack Vector Possible for Defence, how would One be Perfectly Protected against Sublime Exfiltration of Multiplying State Top Secrets? ...... and Extremely Sensitive Compartmented Information? ........ for a Greater AI's Grand Exclusive Executive Intelligence Use. ..... after all, Perl before Swine would be a Total Loss Markup whereas Whenever Initially Known to an Influential Few is the Field Absolutely Controlled by an even Smaller Elite Grouping of Better Informed Beings.

Re: NEUKlearer HyperRadioProACTive IT Weapons Systems ... Not a Foe for Fights ...

@AMFM:

There was a time in the *past* where the mob had a huge influence in Vegas, and there is little question that the "What happens in Vegas Stays in Vegas" expression *probably* came out of their blackmail habits. I'm not so certain that we're dealing with the same mentality in whatever security theatre is running Caesars. I'm inclined to agree with the "We had some shit happen, so now we have to be SEEN to be DOING something" class of theatre.

As for why Vegas, well, it is on one of the more solid portions of that section[1] of the continent. I suspect that in the zombie apocalypse, it will be quite well defended and, other than starving to death, rather well defended.

[1] It is still however quite prone to earthquakes, relative to, say, the lower portion of the Canadian shield, or, say, Cincinnati.

Just back from DEFCON, didn't like it

Inconvenient having to find 280 dollars in paper cash to get in. Every single last one of the decent-sounding talks were already full (or huge hour-long queues I didn't want to stand in) and the ones I actually could get into were mostly either disappointingly broad and uninformative or the opposite micro-detailed and hard to understand if outside your speciality.

Having said that. I did get into the NSA guy's presentation but no surprise they don't let him blab any actual secrets so just listening to him moan about the Russians basically. Badge was good I have to admit, and the car hacking area.

Not Defcon's fault but the pathetically weak British pound meant paying for things in dollars in an already expensive town was hard work - once I realised beer was ten quid a pint I abandoned any thought of attending their parties. Finally, Las Vegas is a horrid cluster of over-decorated concrete boxes which you daren't go outside of because the brutal climate will kill you.

The event's moved to the Bally's hotel for next year, likely because of all the anti-customer shenanigans.

This is my plan

"next year people will vote with their feet and steer clear of Las Vegas and its hotels"

I've already decided on this. Not just "next year" or just for hacker conferences, but at all. Vegas is one of my favorite and most frequent destinations, so this sucks, but I cannot support the behavior that the casinos are engaging in.

It is not just the Palace in Vegas where they are planning on doing this, it is every hotel in the group, no matter where located. So if you are going to any of the 15, I think, resorts in the group, expect no privacy.

Maid "service"??

Given that it is Nevada, and certain things ARE legal in that state, having "Maid Service" and a DO Not Disturb sign is entirely reasonable.

I don't think that those "Maid Service" employees are there to inspect your room as it were, but to provide other "services". I understand that this type of "Maid Service" is quite expansive though, and might not work out too well on expense accounts.

Re: Maid "service"??

Certain things ARE NOT legal in Clark County, which is where Las Vegas is (or in any county with a population >700,000, which means precisely "Clark County", as that's the only one with that many people).

Every room I have had in Vegas for umpteen years has had a solid mechanical lock on the door. The sort that's a clasp that folds over a metal knob on the door so it can't be opened from outside, but can be opened an inch or so.

If you're willing to absorb the penalty you will likely be nailed with, have the SO engage that while you're in the hall. Use your card to unlock the bolt, take two steps back and give the door a good solid kick. You will then understand the utter uselessness of those cute little chains and or slidy loops of white metal, that have been plated in brass like finish.

And then have the SO claim you "walked in unannounced" presumably, if this is for re-enactment purposes.

I guess the next phase of this line of reasoning will be that these "security experts" believe that if a defensive measure can be defeated, one should not deploy it at all.

I wonder what they used to protect themselves from bad actors while they were Facebooking their outrage? I mean, they couldn't have installed the FB app on their phones, right? FB is notoriously "leaky" according to Mr Snowden.

A bit of Skullduggery

Probably not a good idea to host this kind of event where all manner of security is justifiably needed to be tight. Last thing you want is some 'Oceans Eleven' type robbery carried out by LED wielding Star Wars nerds